Last week, we released our third annual State of Bug Bounty Report. We were really excited to see the momentum around enterprise adoption, and this year’s report highlights not only the continued growth of the bug bounty model, but also the economics around bug bounty payouts, trends in vulnerabilities, and the continued growth of the crowd.
Casey gave a good overview of the full report last week. For me, one of the most interesting and important themes of the report and one that I’d like to examine a bit further revolves around trends in vulnerabilities.
According to the report, the number of valid vulnerabilities has gone beyond 52,000 in 2017 — an industry high. Further, we saw 25% more critical vulnerabilities submitted than in 2016. The industry with the most critical vulnerabilities was leisure, travel and tourism. The region with the most critical vulnerabilities reported was Europe. On average, the number of critical vulnerabilities discovered in the first two weeks of a managed bug bounty program is now 5, up 67% in the last year, while unique submissions are up 40% to 70.
Because of the increasing number of critical vulnerabilities and more complex targets, the average payout for critical vulnerabilities (P1) is also increasing. The average payout for P1 vulnerabilities is now $1,776. Of these submissions, SQL Injection (SQLi) was the most reported at 63%, while mobile submissions accounted for the fewest at 6%. In line with these findings, the average payout for SQLi was the highest at $1,058, while the average payout for mobile was $304.
So what does all this mean? The security researcher community is becoming more familiar with the bug bounty model and more creative in finding flaws. New types of systems are emerging (e.g., IoT and automotive), presenting additional opportunity for even more security concerns. Because of these factors, we will continue to see both the number of vulnerabilities and the payouts that incentivize them increase; paired with the growing need for quick time to action, this highlights the need for managed bug bounty programs.
The cybersecurity industry is in a resource crisis. Organizations hardly have the time or resources to triage and validate incoming vulnerability findings from independent researchers. A managed crowdsourced application security testing approach strengthens a company’s ability to do just that, as a vital component of an overall appsec strategy.
Here at Bugcrowd, we value managed programs, and with this high rate of growth, we’ve experienced an unprecedented increase of 224% in collaborative interactions by our security operations and support team. Despite the increase in vulnerability submissions and bounty programs, our team has decreased the first-touch response by 21% and decreased time to validate vulnerabilities by 11%.
Our team provides customers with full-scale bug bounty support and services, which include expert technical review and escalation of valid vulnerability submissions. We facilitate hundreds of managed bug bounties with tens of thousands of vulnerability reports, escalating high-priority issues within hours and averaging triage within a business day.